Remove unsecure SHA1 ciphers

Posted: 2021-03-15 23:08
by Remy64
Hello,

In the latest FileZilla Server software (0.9.60.2 beta), there are unsecure ciphers accepted:

DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-CAMELLIA128-SHA,DHE-RSA-CAMELLIA256-SHA,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA,AES128-SHA,AES256-SHA,CAMELLIA128-SHA,CAMELLIA256-SHA

They are unsecure because the MAC algorithm is SHA1, which is not secure anymore.

Could you please tell me how I can remove these ciphers?

Thanks,

Best Regards

Re: Remove unsecure SHA1 ciphers

Posted: 2021-03-16 08:23
by botg
There is currently no way to do this.

Re: Remove unsecure SHA1 ciphers

Posted: 2021-03-16 20:51
by Remy64
Thanks for your quick answer.

Maybe I am asking too much, but is it possible to make a new version, like 0.9.60.3 beta, that excludes these kinds of ciphers by adding !SHA to line 1092 of the file AsyncSslSocketLayer.cpp?

Like:

pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP:!SHA");

Instead of:

pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP");

It's a kind request; you already developed the application and I'm happy to use it for free.

If it's possible, I will be more happy :D

Have a good day

Best Regards
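The effect of the proposed `!SHA` suffix can be checked offline before touching a server build. The following is an added example, not part of the original post or of FileZilla's code: it uses Python's `ssl` module, which passes the string to OpenSSL's cipher-list parser, to expand both strings from the post and compare them. The function names are hypothetical, and the expanded lists depend on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher strings quoted in the post above: the existing one and the proposal.
CURRENT = ("DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:"
           "!SEED:!IDEA:!PSK:!SRP")
PROPOSED = CURRENT + ":!SHA"

# Suites reported as accepted in the first post of the thread.
REPORTED = ("DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-CAMELLIA128-SHA,"
            "DHE-RSA-CAMELLIA256-SHA,ECDHE-RSA-AES128-SHA,"
            "ECDHE-RSA-AES256-SHA,AES128-SHA,AES256-SHA,CAMELLIA128-SHA,"
            "CAMELLIA256-SHA").split(",")


def expand(cipher_string):
    """Return {suite name: MAC digest} as the local OpenSSL expands the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # 'digest' is None for AEAD suites (GCM, ChaCha20-Poly1305), which
    # carry no separate HMAC.
    return {c["name"]: c.get("digest") for c in ctx.get_ciphers()}


def sha1_mac_suites(cipher_string):
    """Suites in the expanded list whose record MAC is HMAC-SHA1."""
    return sorted(n for n, d in expand(cipher_string).items() if d == "sha1")


def removed_by_proposal():
    """Suites enabled by CURRENT that PROPOSED no longer enables."""
    return sorted(set(expand(CURRENT)) - set(expand(PROPOSED)))


def reported_still_enabled(cipher_string):
    """Which of the suites reported in the thread survive the string."""
    enabled = expand(cipher_string)
    return [name for name in REPORTED if name in enabled]


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("SHA1-MAC suites with current string:", sha1_mac_suites(CURRENT))
    print("Removed by adding !SHA:", removed_by_proposal())
    print("Reported suites left after !SHA:", reported_still_enabled(PROPOSED))
    # What clients could still negotiate; older clients that only offer
    # CBC/SHA1 suites would fail to connect after the change.
    print("Remaining suites:", sorted(expand(PROPOSED)))
```

The remaining list is the part to review before deploying such a change, since clients limited to SHA1-MAC suites would no longer be able to connect.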

Re: Remove unsecure SHA1 ciphers

Posted: 2021-04-07 15:39
by boco
It is not possible to compile a new version of the old server code anymore. To my knowledge, it doesn't compile correctly anymore on a new compiler/linker.

However, there is a completely new server in the works.